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(54) Apparatus and method for accessing secured data stored in a portable data carrier 



(57) A portable data carrier includes a secure 
processing element and a co-located directory. A mem- 
ory element is substantially separated by the secure 
processing element and disposed within the portable 
data carrier. A secure processor command stemming 
from an operator input is then used to access a portion 



of the directory that includes an address key. The 
address key is then used to de scramble an address in 
the memory element, which address location includes a 
representation of the data record. 
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Description 
Field of the Invention 

The present invention relates generally to a porta- s 
ble data carrier designed for storing large amounts of 
data, and in particular to a method and apparatus for 
accessing secured data stored in such a portable data 
carrier. 

H 

Background of the Invention 

Portable data carriers (e.g., smart cards or chip 
cards) are known to include a plastic substrate in which 
a semiconductor device Q.e., integrated circuit-IC) is 15 
disposed for retaining digital data. This digital data may 
constitute program instructions, user information, or any 
combination thereof. Moreover, these smart cards are 
known to be operational in a contacted mode, whereby 
an array of contact points disposed on the plastic sub- 20 
strate and interconnected with the semiconductor 
device is used to exchange electrical signals between 
the chip card an external card reader, or terminal. Simi- 
larly, there exists smart cards that operate in a contact- 
less mode, whereby a radio frequency (RF) receiving 25 
circuit is employed to exchange data between the card 
and a card terminal. That is, the card need not come 
into physical contact with the card terminal in order to 
exchange data therewith, but rather must simply be 
placed within a predetermined range of the terminal. 30 

Additionally, there exist smart cards that are alter- 
natively operational in either a contacted mode or a con- 
tactless mode. Such cards are equipped with both RF 
receiving circuitry (for contactless operations) as well as 
an array of contact pads (for contacted operations), ss 
These smart cards are commonly referred to as combi- 
nation cards, or combi -cards. It should be noted that in 
both the contact-only card and the combi-card arrange- 
ments, the array of contact pads typically conform to the 
ISO Standard 7816, which standard is incorporated 40 
herein by reference. 

One of the problems of prior art smart cards is the 
increasing need for additional memory for the storage of 
data records. That is, as the functional capabilities of 
these smart cards increase, so too does the require- 45 
ment for storing data fa access by the cardholder. Typ- 
ically, the resident memory on the smart card integrated 
circuit (IC) is not large enough to store large amounts of 
data. Of course, mass memory cards (MMCs) are avail- 
able today, and are small enough for use in a smart card so 
application. However, information stored on such a 
stand-alone MMC will not be secure, as these MMCs 
typically do not have the level of security required for 
smart card applications. 

The need for security in a smart card application is ss 
well established, and cardholders insist on having their 
smart card data secure from illicit access. By way of 
example, a cardholder's medical records, bank account 



numbers, credit information, and other valuable pieces 
of data may be stored on the smart card. In fact, stored 
value cards (i.e., card? that can be loaded with one or 
more types of currency for use by the cardholder in debit 
transactions) may be the best example of the special 
needs for security in smart card applications. 

Accordingly, there exists a need fa a method and 
apparatus for securely accessing large amounts of data 
stored on a smart card. In particular, a smart card that 
was able to advantageously employ a mass memory 
device, together with a secure access protocol would be 
an improvement over the prior art 

Brief Description of the Drawings. 

FIG. 1 shows a simplified block diagram of a smart 
card, in accordance with the present invention; 

FIG. 2 shows a graphical representation of the 
secure directory shown in FIG. 1 ; 

FIG. 3 shows a graphical representation of a por- 
tion of non-volatile memory, as shown in FIG. 1 ; 

FIG. 4 shows a flow diagram depicting operation of 
the smart card access method, according to the 
present invention; 

FIG. 5 shows a more detailed flow diagram depict- 
ing the record processing method, in accordance 
with the present invention; and 

FIG 6 shows a memory element that includes 
exemplary data records, in accordance with the 
present invention. 

Detailed Description a Preferred Embodiment. 

The present invention encompasses a method and 
apparatus for secure access to a memory dement that 
is substantially separated from a secure processing ele- 
ment of a smart card. The secure processing element 
includes a directory that is co-located therewith and 
accesses the directory in response to a secure proces- 
sor command. Upon retrieving an address key, the 
address key is used to de scramble an address location 
that contains a representation of the data record being 
accessed. In this manner, a large, separated memory 
element can be used to securely store data by taking 
advantage of a secure access directory that is co- 
located with the secure processing element. 

The present invention can be better understood 
with reference to FIGS. 1-6. FIG. 1 shows smart card 
100 that includes a substrate 102 within which is dis- 
posed a secure processing element 104 and a separate 
mass memory element 105. The secure processing ele- 
ment (SPE) 104, which may be a semiconductor device 
designed for smart card applications, is further co- 



2 



5 



EP0856 818A2 



6 



the data scrambler/de-scrambler device 110. The 
address de-scrambler 112 is then used to de scramble 
(504) the memory element address using the address 
decryption key stored in non-volatile memory section 
304 shown in FIG. 3. In a preferred embodiment, the $ 
foregoing steps are employed for each type of opera- 
tion, whether they are read, write, or erase operations. 
Similarly, the following steps are taken in response to 
the type of operation requested by the operator, which 
operation has already been authorized. w 

A decision is reached (506) to determine whether 
or not the intended operation is a READ operation. If the 
operation is a READ operation, the scrambled data is 
fetched (508) from the memory location corresponding 
to the address found in the string array Next the is 
fetched data is de-scrambled (510) using the data key 
retrieved (step 502 above) and using the data de- 
scrambler 110. Lastly, the de-scrambled data is placed 
(512) onto the data bus for processing by the secure 
processing element 1 04, before the routine is exited. 20 

If it is determined at step 506 that a READ opera- 
tion is not intended, a decision (51 4) is reached to deter- 
mine whether or not the intended operation is an 
ERASE operation. If not, meaning that the intended 
operation is a WRITE operation, data is fetched (516) 25 
from the SPE bus and scrambled (51 8) using the appro- 
priate data key, as earlier described. If the intended 
operation is an ERASE operation, NUL data (e.g. all 
zeroes, or all ones) is presented to the memory. In 
either case, the data (scrambled or NUL) is then put 30 
(522) into the memory location corresponding to the de- 
scrambled address, as earlier determined, before the 
routine is exited. In the foregoing manner, records 
stored in memory element 105 can be processed in a 
secure manner by relying on the security features of the 35 
secure processing element and non-volatile memory 
106 (including the directory 108). 

In order to better illustrate the preferred embodi- 
ment of the invention, an example is provided using 
FIG. 6 and FIG. 2 as follows: ao 

it is assumed that memory element 105 appears 
generally as illustrated in FIG. 6. and is preferably 512 
bytes wide and 2048 records in length. In this example, 
no data records (which may indicate erased or initialized 
record states) are shown in memory locations 0, 1 , and 45 
2045. Likewise, a "don't care" value ("X") is shown in 
locations 2, 3, 765 and 2047, as these records are not 
accessed in the example given. According to the exam- 
ple, a data record to be accessed is distributed across 
four non-contiguous memory locations. Referring now so 
to FIG. 2, directory location 601 comprises a string 
array that includes address location 5, 764, 4, and 2046 
followed by a NUL value to thereby represent the loca- 
tions in which the desired information is stored. Simi- 
larly, directory location 603 shows the data key value of 55 
05D. As earlier noted the data keys can be any size, but 
the exemplary is 4 bytes. 

Referring again to FIG. 6, it is noted that the record 



of interest is stored sequentially in memory locations 
605-608, as shown. Correspondingly , the sequence of 
these memory locations (i.e., the sequence needed to 
place the full record in proper order) is given in directory 
location 601 shown in FIG. 2. In particular, a first seg- 
ment of the record--REC(1)~is shown in memory loca- 
tion 605. Similarly REC(2)-REC(4) are stored in 
memory locations 606-608. In this manner, a series of 
scrambled address locations can be de-scrambled and 
used to retrieve non-contiguous portions of a larger data 
record. These portions can then be concatenated for 
use by the secure processing element (e.g., displayed 
on a terminal) for use by the operator of the smart card. 
This record may be, for example, a medical record that 
includes a doctor's name, and the last three visits made 
to the doctor. Lastly, an access processor 610 is 
included in the memory that is responsive to the control 
signal 116 to enable and disable the memory element 
105, as earlier described. 

Accordingly, the present invention allows for a multi- 
tiered security mechanism that can be used in smart 
card applications. Moreover, a mass memory element 
can be advantageously employed to store many data 
records in a secure fashion. 

Claims 

1. In a portable data carrier that includes a secure 
processing element having a directory that is co- 
located with the secure processing element, the 
portable data carrier further having a memory ele- 
ment that is substantially separated from the secure 
processing dement, a method of accessing a data 
record stored in the memory element comprising 
the steps of: 

receiving an operation command from a termi- 
nal, which operation command corresponds to 
a secure processor command; 

accessing a portion of the directory using the 
secure processor command to thereby retrieve 
an address key; and 

using the retrieved address key to descramble 
an address in the memory element, to produce 
a descrambled address location that contains a 
representation of the data record. 

2. The method of claim 1 , wherein the representation 
of the data record comprises a scrambled data 
record, further comprising the steps of: 

retrieving a data key from the directory; and 

using the retrieved data key to descramble the 
scrambled data record. 
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3. The method of claim 2, wherein the retrieved data 
key varies for each of a plurality of entries in the 
directory. 

4. The method of claim 1, further comprising the step s 
of determining whether a cardholder is authorized 

to access the data record. 



a first descrambier, coupled to receive a key 
input from the directory; and 

a memory element, located substantially apart 
from the secure processing element, coupled 
to exchange information with the first descram- 
bier. 



5. The method of claim 5, further comprising the step 

of determining access rights of the cardholder, 10 
depending on an intended operation type. 

6. In a portable data carrier that includes a secure 
processing element having a directory that is co- 
located with the secure processing element the is 
portable data carrier further having a memory ele- 
ment that is substantially separated from the secure 
processing element a method of accessing a data 
record stored in the memory element comprising 

the steps of: 20 

accepting an operation command from a termi- 
nal, which operation command corresponds to 
a secure processor command; 

25 

accessing a portion of the directory using the 
secure processor command to thereby retrieve 
a data key; and 



11. The portable data carrier of claim 10. wherein the 
first descrambier comprises an address descram- 
bier, further comprising a data descrambier, cou- 
pled to exchange data between the memory 
element and the secure processing element. 



using the retrieved data key to descramble a 30 
representation of the data record located in the 
memory element 

7. The method of claim 6, wherein the representation 
of the data record resides in a scrambled address 35 
location, further comprising the steps of: 

retrieving an address key from a non-volatile 
memory portion of the secure processing ele- 
ment; and 40 



using the retrieved address key to descramble 
the scrambled address location. 



8. The method of claim 6, further comprising the step 45 
of determining access rights of a cardholder. 

9. The method of claim 8, further comprising the step 
of determining whether the cardholder is authorized 

to access the data record. bo 



1 0. A portable data carrier, comprising: 



a secure processing element 

55 

a directory co-located with the secure process- 
ing element; 
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